America is switching over to chip-based credit cards. And this means big, big changes for credit card security.

If you’re an American with a credit card, the odds are good you received a replacement card in the mail lately. These cards, with an embedded chip inside referred to as an EMV, are part of a major shift in the way credit cards work in America: In late 2015 and going into 2017, financial liability for credit card fraud will shift to stores and merchants if they don’t accept these EMV chip cards. This means that store owners are rushing to buy the expensive equipment to process EMV chip cards, and card issuers are pumping out cards as quickly as customers can activate them.

advertisement

advertisement

The United States is a holdover in adopting chip credit cards; they were adopted in most other wealthy parts of the world years ago, but did not enter into the American economy as banks and merchants argued who would be responsible for the cost of the changeover. This writer personally remembers a cashier at an English corner shop in a working-class corner of east London in 2011 laughing at loud at his credit card, wondering why a country so powerful had credit cards so crappy.

But the shift over to these credit cards has meant new and more sophisticated measures for credit card security. These changeovers are taking place whether you stand on line at a supermarket, buy goods online, or even just pay your utility bill.

Starting today, credit card issuers that don’t send customers EMV chip cards and retailers that don’t implement EMV chip readers will be on the hook financially for credit card fraud. Some retailers are opting to bite the cost by raising prices for customers instead of going through the (expensive and time-consuming) process of training employees to use the new card readers and install equipment, but others are looking for new ways to reduce fraud with the new chip cards.

Kevin Levitt, vice president of Business Development at Credit Karma, a customer-oriented credit card information portal, told Fast Company that “In the near term, chip technology on credit cards presents a learning curve for consumers as they come up to speed on how to use the card at point of sale–dipping rather than swiping–as well as the security benefits of the technology.”

And these changes are much more difficult for retailers. “While many of the major retailers transition to new point of sale systems, the question for small to mid-size retailers is whether or not the benefits of chip technology are reason enough to invest in new POS terminals immediately,” he added. “Since this is the first change in credit card technology at mass scale, we are interested to see if consumers are more apt to utilize the transition time to explore new payment technologies such as NFC and other contactless payment methods.”

In other words: Customers and retailers are going to be confused about the necessary switchover. There’s also a change that comes with the adoption of chip cards in America. Credit card companies are expecting that a lot of credit card fraud will take place online rather than with forged credit cards at retail stores. That’s why one credit giant is experimenting with “selfie pay.”

MasterCard, which is partially responsible for EMV’s name (EMV, as it turns out, stands for Eurocard, MasterCard, Visa after the protocol’s creators), is testing out a new product they refer to as “Selfie Pay.” In trials taking place in the United States and Europe, customers will be able to verify their identity for mobile e-commerce purchases by…yes, taking a selfie.

In the pilot project currently underway, taking place with Silicon Valley’s First Tech Federal Credit Union and other stakeholders, every time a customer makes a MasterCard purchase using an app on their phone, a picture is taken of them. The picture is essentially used to authenticate the user’s identity in two-step authentication on top of the password, and is cross-compared against a picture of the user MasterCard has on file.

According to Ajay Bhalla, president of MasterCard’s enterprise solutions division, the adoption of EMV chips led to fraud at in-person points of sales reducing by 80%. But as he put it, “fraudsters migrate to the digital world” as in-person purchases get safer.

The giant credit card provider is also working on several other biometric two-factor authentication tests. These include heartbeat readers worn on a user’s wrist, which essentially uses a heartbeat as an individual signature, and voice recognition or iris recognition projects.

Eye recognition figures greatly in another biometric project from the finance world that, even though it doesn’t involve credit cards, gives a hint of where credit card authentication is going.

Secil Watson, the head of wholesale Internet solutions for Wells Fargo, has a challenge: Her division is responsible for the infrastructure that lets corporate clients conduct extremely large transactions online. Currently, authenticating these transactions means using passwords that have to be replaced every few months and using physical tokens with their phones or computers.

advertisement

“When we do wire approvals, it involves potentially tens of millions of dollars being approved in one session,” Watson told me. “So risk management is crucial.” This risk management increasingly takes the form of biometric authentication of users. Every time a user loses their password or misplaces their physical password, it’s an expensive and cumbersome process for Wells Fargo: Biometrics, which are built into a user’s body, are much cheaper.

One element Wells Fargo is testing is iris recognition and the blood vessels in a user’s eyes. An app on the phone takes a picture of a user’s eyes, and then extrapolates data points from it to use as a secondary form of identity verification.

They’re also counterintuitive. As Watson explained, “Eye veins aren’t something that come to mind first because as humans, we don’t use eye veins as a data point for recognition. People think of faces and voices instead because that’s how humans naturally recognize humans, but there are more data points in the whites of our eyes a machine can capture and process!”

But all of these solutions are coming to mobile and to desktop computers first, rather than to retailers. This is for a simple reason: usability. Speaking off the record, several experts in the field said that stores and restaurants are uncontrolled environments where biometric systems could easily fail due to either employees not being used to operating them, customers becoming impatient, or background noise or poor lighting rendering verification systems useless.

This ordinary, day-to-day chaos of regular humanity doing their regular thing remains a challenge for merchants and card providers looking to work with biometrics. While Bhalla assured me his company’s system of image verification works when there’s poor lighting or lots of people moving in the background, Watson told me user behavior was a challenge Wells Fargo had to take into account. Although she knew image verification wouldn’t work as planned when a user say, snapped a picture of themselves while walking through an airport or in a poorly lit train station, users expected it to work and were surprised when it didn’t. Accounting for that ordinary user interface issue is a big challenge her team continues to face.

For Bhalla and MasterCard, a large part of it is educating merchants, card issues, and customers. “We have a good user experience, but we need to figure out a way to keep making it better and perfect it,” he told me. “We need to train stakeholders and get everyone to get up to speed with technologies. It’s much easier than anything else.”